tests fixes and some product advisories tunes ups

2026-01-30 07:57:43 +02:00
parent 644887997c
commit 55744f6a39
345 changed files with 26290 additions and 2267 deletions
--- a/src/Platform/StellaOps.Platform.WebService/Constants/PlatformScopes.cs
+++ b/src/Platform/StellaOps.Platform.WebService/Constants/PlatformScopes.cs
@@ -25,4 +25,9 @@ public static class PlatformScopes
    public const string FunctionMapRead = "functionmap.read";
    public const string FunctionMapWrite = "functionmap.write";
    public const string FunctionMapVerify = "functionmap.verify";
+
+    // Policy interop (SPRINT_20260122_041)
+    public const string PolicyRead = "policy.read";
+    public const string PolicyWrite = "policy.write";
+    public const string PolicyEvaluate = "policy.evaluate";
 }
--- a/src/Platform/StellaOps.Platform.WebService/Program.cs
+++ b/src/Platform/StellaOps.Platform.WebService/Program.cs
@@ -112,6 +112,9 @@ builder.Services.AddAuthorization(options =>
    options.AddStellaOpsScopePolicy(PlatformPolicies.FunctionMapRead, PlatformScopes.FunctionMapRead);
    options.AddStellaOpsScopePolicy(PlatformPolicies.FunctionMapWrite, PlatformScopes.FunctionMapWrite);
    options.AddStellaOpsScopePolicy(PlatformPolicies.FunctionMapVerify, PlatformScopes.FunctionMapVerify);
+    options.AddStellaOpsScopePolicy(PlatformPolicies.PolicyRead, PlatformScopes.PolicyRead);
+    options.AddStellaOpsScopePolicy(PlatformPolicies.PolicyWrite, PlatformScopes.PolicyWrite);
+    options.AddStellaOpsScopePolicy(PlatformPolicies.PolicyEvaluate, PlatformScopes.PolicyEvaluate);
 });

 builder.Services.AddSingleton<PlatformRequestContextResolver>();
@@ -166,6 +169,9 @@ else

 builder.Services.AddSingleton<IScoreEvaluationService, ScoreEvaluationService>();

+// Policy interop services (import/export between JSON PolicyPack v2 and OPA/Rego)
+builder.Services.AddSingleton<IPolicyInteropService, PolicyInteropService>();
+
 // Function map services (RLV-009)
 builder.Services.AddSingleton<StellaOps.Scanner.Reachability.FunctionMap.Verification.IClaimVerifier,
    StellaOps.Scanner.Reachability.FunctionMap.Verification.ClaimVerifier>();
--- a/src/Platform/__Tests/StellaOps.Platform.WebService.Tests/PlatformWebApplicationFactory.cs
+++ b/src/Platform/__Tests/StellaOps.Platform.WebService.Tests/PlatformWebApplicationFactory.cs
@@ -1,8 +1,15 @@
+using System.Security.Claims;
+using System.Text.Encodings.Web;
+using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Mvc.Testing;
+using Microsoft.AspNetCore.TestHost;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection.Extensions;
+using Microsoft.Extensions.Hosting;
 using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;

 namespace StellaOps.Platform.WebService.Tests;

@@ -24,11 +31,20 @@ public sealed class PlatformWebApplicationFactory : WebApplicationFactory<Progra

        builder.ConfigureAppConfiguration((context, config) =>
        {
-            // Add in-memory configuration to disable telemetry
+            // Add in-memory configuration to cover all required options
            config.AddInMemoryCollection(new Dictionary<string, string?>
            {
                ["Telemetry:Enabled"] = "false",
-                ["OTEL_SDK_DISABLED"] = "true"
+                ["OTEL_SDK_DISABLED"] = "true",
+                ["Platform:Authority:Issuer"] = "https://authority.local",
+                ["Platform:Authority:RequireHttpsMetadata"] = "false",
+                ["Platform:Authority:BypassNetworks:0"] = "127.0.0.1/32",
+                ["Platform:Authority:BypassNetworks:1"] = "::1/128",
+                ["Platform:Storage:Driver"] = "memory",
+                ["Platform:Storage:Schema"] = "platform",
+                ["Platform:AnalyticsMaintenance:Enabled"] = "false",
+                ["Platform:AnalyticsMaintenance:RunOnStartup"] = "false",
+                ["Platform:AnalyticsIngestion:Enabled"] = "false",
            });
        });

@@ -52,6 +68,78 @@ public sealed class PlatformWebApplicationFactory : WebApplicationFactory<Progra
            {
                services.Remove(descriptor);
            }
+
+            // Remove all background/hosted services that depend on external infrastructure
+            // (database connections, message queues, etc.) which are unavailable in tests
+            services.RemoveAll<IHostedService>();
+        });
+
+        // ConfigureTestServices runs AFTER Program.cs, so these registrations take priority
+        builder.ConfigureTestServices(services =>
+        {
+            // Replace authentication with a test scheme that always succeeds.
+            // WebApplicationFactory uses in-memory transport where RemoteIpAddress is null,
+            // so the bypass network evaluator cannot match and JWT auth has no token issuer.
+            services.AddAuthentication(TestAuthHandler.SchemeName)
+                .AddScheme<AuthenticationSchemeOptions, TestAuthHandler>(
+                    TestAuthHandler.SchemeName, _ => { });
+
+            // Override default authentication scheme so the test handler is actually invoked
+            services.PostConfigureAll<AuthenticationOptions>(options =>
+            {
+                options.DefaultAuthenticateScheme = TestAuthHandler.SchemeName;
+                options.DefaultChallengeScheme = TestAuthHandler.SchemeName;
+                options.DefaultScheme = TestAuthHandler.SchemeName;
+            });
+
+            // Replace the scope authorization handler with one that always succeeds
+            services.RemoveAll<Microsoft.AspNetCore.Authorization.IAuthorizationHandler>();
+            services.AddSingleton<Microsoft.AspNetCore.Authorization.IAuthorizationHandler,
+                TestAllowAllAuthorizationHandler>();
        });
    }
+
+    /// <summary>
+    /// Authentication handler that unconditionally succeeds with a minimal principal.
+    /// Tenant and actor are resolved from request headers by PlatformRequestContextResolver.
+    /// </summary>
+    private sealed class TestAuthHandler : AuthenticationHandler<AuthenticationSchemeOptions>
+    {
+        public const string SchemeName = "TestScheme";
+
+        public TestAuthHandler(
+            IOptionsMonitor<AuthenticationSchemeOptions> options,
+            ILoggerFactory logger,
+            UrlEncoder encoder)
+            : base(options, logger, encoder)
+        {
+        }
+
+        protected override Task<AuthenticateResult> HandleAuthenticateAsync()
+        {
+            var identity = new ClaimsIdentity(SchemeName);
+            var principal = new ClaimsPrincipal(identity);
+            var ticket = new AuthenticationTicket(principal, SchemeName);
+            return Task.FromResult(AuthenticateResult.Success(ticket));
+        }
+    }
+
+    /// <summary>
+    /// Authorization handler that unconditionally succeeds for all requirements.
+    /// Replaces the StellaOps scope handler in test mode.
+    /// </summary>
+    private sealed class TestAllowAllAuthorizationHandler
+        : Microsoft.AspNetCore.Authorization.IAuthorizationHandler
+    {
+        public Task HandleAsync(
+            Microsoft.AspNetCore.Authorization.AuthorizationHandlerContext context)
+        {
+            foreach (var requirement in context.PendingRequirements.ToList())
+            {
+                context.Succeed(requirement);
+            }
+
+            return Task.CompletedTask;
+        }
+    }
 }